Merge pull request #1122 from github/3.8.3-patch

3.8.3 patch

Author: dooleydevin

.github/linters/.yaml-lint.yml

@@ -0,0 +1,53 @@
+---
+###########################################
+# These are the rules used for            #
+# linting all the yaml files in the stack #
+# NOTE:                                   #
+# You can disable line with:              #
+# # yamllint disable-line                 #
+###########################################
+rules:
+  braces:
+    level: warning
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: 1
+    max-spaces-inside-empty: 5
+  brackets:
+    level: warning
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: 1
+    max-spaces-inside-empty: 5
+  colons:
+    level: warning
+    max-spaces-before: 0
+    max-spaces-after: 1
+  commas:
+    level: warning
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  comments: disable
+  comments-indentation: disable
+  document-end: disable
+  document-start: disable
+  empty-lines:
+    level: warning
+    max: 2
+    max-start: 0
+    max-end: 0
+  hyphens:
+    level: warning
+    max-spaces-after: 1
+  indentation:
+    level: warning
+    spaces: consistent
+    indent-sequences: true
+    check-multi-line-strings: false
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable

.github/workflows/build-and-release.yml

@@ -0,0 +1,139 @@
+---
+name: Build and Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      gh-token:
+        description: 'GitHub Token - used to create a commit in the backup-utils repo'
+        required: true
+        type: string
+      version:
+        description: 'Version - patch version of the release (e.g. x.y.z)'
+        required: true
+        type: string
+      draft:
+        description: 'Draft - true if the release should be a draft'
+        required: true
+        type: boolean
+        default: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      # resulting token still gets denied by the backup-utils repo
+      # see: https://github.com/actions/create-github-app-token/pull/46
+      # - uses: timreimherr/create-github-app-token@main
+      #   id: app-token
+      #   with:
+      #     # required
+      #     app_id: ${{ vars.RELEASE_CONTROLLER_APP_ID }}
+      #     private_key: ${{ secrets.RELEASE_CONTROLLER_APP_PRIVATE_KEY }}
+      #     owner: ${{ github.repository_owner }}
+      #     repositories: backup-utils,backup-utils-private
+      - name: Checkout backup-utils-private
+        uses: actions/checkout@v4
+        with:
+          token: ${{ github.event.inputs.gh-token }}
+          repository: github/backup-utils-private
+      - name: Install dependencies
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y moreutils debhelper help2man devscripts gzip
+      - name: Create tag # this is required for the build scripts
+        run: |
+          git config user.name "${{ github.actor }}"
+          git config user.email "[email protected]"
+          git tag -a "v${{ github.event.inputs.version }}" -m "v${{ github.event.inputs.version }}"
+          git push origin "v${{ github.event.inputs.version }}"
+      - name: Package deb
+        run: |
+          ./script/package-deb
+      # many need to remove this once release-notes compilation is automated
+      - name: Rename deb artifact
+        run: |
+            for file in dist/github-backup-utils_*_all.deb; do
+              if [[ -f "$file" ]]; then
+                mv "$file" "dist/github-backup-utils_${{ github.event.inputs.version }}_all.deb"
+              fi
+            done
+      - name: Upload deb artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: github-backup-utils_${{ github.event.inputs.version }}_all.deb
+          path: |
+            dist/github-backup-utils_${{ github.event.inputs.version }}_all.deb
+      - name: Package tarball
+        run: |
+          ./script/package-tarball
+      - name: Upload tarball artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: github-backup-utils-v${{ github.event.inputs.version }}.tar.gz
+          path: |
+            dist/github-backup-utils-v${{ github.event.inputs.version }}.tar.gz
+  release:
+    needs: build
+    runs-on: ubuntu-latest
+    outputs:
+      commit_hash: ${{ steps.empty-commit.outputs.commit_hash }}
+    steps:
+      # resulting token still gets denied by the backup-utils repo
+      # see: https://github.com/actions/create-github-app-token/pull/46
+      # - uses: timreimherr/create-github-app-token@main
+      #   id: app-token
+      #   with:
+      #     app_id: ${{ vars.RELEASE_CONTROLLER_APP_ID }}
+      #     private_key: ${{ secrets.RELEASE_CONTROLLER_APP_PRIVATE_KEY }}
+      #     owner: ${{ github.repository_owner }}
+      #     repositories: backup-utils,backup-utils-private
+      - name: Checkout backup-utils
+        uses: actions/checkout@v4
+        with:
+          token: ${{ github.event.inputs.gh-token }}
+          repository: github/backup-utils
+          ref: master
+      - name: Create empty commit
+        uses: stefanzweifel/git-auto-commit-action@v4
+        id: empty-commit
+        with:
+          branch: master
+          commit_message: "${{ github.event.inputs.version }} release"
+          commit_user_name: "${{ github.actor }}"
+          commit_user_email: "[email protected]"
+          commit_options: "--allow-empty"
+          skip_dirty_check: true
+      - name: Checkout backup-utils
+        uses: actions/checkout@v4
+        with:
+          token: ${{ github.event.inputs.gh-token }}
+          repository: github/backup-utils-private
+      - name: Download deb artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: github-backup-utils_${{ github.event.inputs.version }}_all.deb
+      - name: Download tarball artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: github-backup-utils-v${{ github.event.inputs.version }}.tar.gz
+      - name: Create Release
+        uses: ncipollo/release-action@v1
+        with:
+          token: ${{ github.event.inputs.gh-token }}
+          repo: backup-utils
+          name: |
+            GitHub Enterprise Server Backup Utilities v${{ github.event.inputs.version }}
+          artifacts: |
+            github-backup-utils-v${{ github.event.inputs.version }}.tar.gz, \
+            github-backup-utils_${{ github.event.inputs.version }}_all.deb
+          tag: v${{ github.event.inputs.version }}
+          commit: ${{ steps.empty-commit.outputs.commit_hash }}
+          bodyFile: release-notes/${{ github.event.inputs.version }}.md
+          draft: ${{ github.event.inputs.draft }}
+          allowUpdates: true
+          artifactContentType: "raw"
+
+
+
+

.github/workflows/lint.yml

@@ -1,3 +1,4 @@
+---
 name: Lint Code Base
 
 on:
@@ -21,3 +22,4 @@ jobs:
         env:
           VALIDATE_ALL_CODEBASE: false
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          FILTER_REGEX_EXCLUDE: .*release-notes/.*

.releaseignore

@@ -0,0 +1,2 @@
+ownership.yaml
+.github

bin/ghe-host-check

@@ -91,13 +91,19 @@ if ghe-ssh "$host" -- \
   CLUSTER=true
 fi
 
-# ensure all nodes in the cluster are running the same version
+# ensure all nodes in the cluster are online/reachable and running the same version
 if "$CLUSTER"; then
+  online_status=$(ghe-ssh "$host" ghe-cluster-host-check)
+  if [ "$online_status" != "Cluster is ready to configure." ]; then
+    echo "Error: Not all nodes are online! Please ensure cluster is in a healthy state before using backup-utils." 1>&2
+    exit 1
+  fi
+
   node_version_list=$(ghe-ssh "$host" ghe-cluster-each -- ghe-version)
   distinct_versions=$(echo "$node_version_list" | awk '{split($0, a, ":"); print a[2]}' | awk '{print $4}' | uniq | wc -l)
   if [ "$distinct_versions" -ne 1 ]; then
-    echo "$node_version_list" 1>&2
-    echo "Error: Not all nodes are running the same version! Please ensure all nodes are running the same version before using backup-utils." 1>&3
+    echo "Version mismatch: $node_version_list" 1>&2
+    echo "Error: Not all nodes are running the same version! Please ensure all nodes are running the same version before using backup-utils." 1>&2
     exit 1
   fi
 fi

docs/requirements.md

@@ -5,8 +5,7 @@ storage and must have network connectivity with the GitHub Enterprise Server app
 
 ## Backup host requirements
 
-Backup host software requirements are modest: Linux or other modern Unix operating
-system (Ubuntu is highly recommended) with [bash][1], [git][2], [OpenSSH][3] 5.6 or newer, [rsync][4] v2.6.4 or newer, and [jq][11] v1.5 or newer.
+Backup host software requirements are modest: Linux or other modern Unix operating system (Ubuntu is highly recommended) with [bash][1], [git][2], [OpenSSH][3] 5.6 or newer, [rsync][4] v2.6.4 or newer* (see [below](#april-2023-update-of-rsync-requirements) for exceptions), [jq][11] v1.5 or newer, and [bc][12] v1.07 or newer.
 
 The parallel backup and restore feature will require [GNU awk][10] and [moreutils][9] to be installed.
 
@@ -79,3 +78,4 @@ Due to how some components of Backup Utilities (e.g. MSSQL) take incremental bac
 [9]: https://joeyh.name/code/moreutils
 [10]: https://www.gnu.org/software/gawk
 [11]: https://stedolan.github.io/jq/
+[12]: https://www.gnu.org/software/bc/

script/package-deb

@@ -8,6 +8,9 @@ set -e
 # Change into project root
 cd "$(dirname "$0")"/..
 
+# Fetch tags from remote repository
+git fetch --tags
+
 # Basic package name and version.
 PKG_BASE="github-backup-utils"
 PKG_VERS="$(git describe --tags)"
@@ -22,6 +25,14 @@ mkdir -p dist/debuild
 distdir="$(pwd)/dist/debuild/$PKG_NAME"
 git clone -q . "$distdir"
 cd "$distdir"
+
+echo "Removing files listed in .releaseignore ..."
+while IFS= read -r line; do
+    rm -rf "$line"
+done < .releaseignore
+
+echo "Removing .releaseignore ..."
+rm -f .releaseignore
 git checkout -q "$PKG_HEAD"
 
 debuild -uc -us 1>&2

script/package-tarball

@@ -8,11 +8,24 @@ set -e
 # Change into project root
 cd "$(dirname "$0")"/..
 
+# Fetch tags from remote repository
+git fetch --tags
+
 # Basic package name and version.
 PKG_BASE="github-backup-utils"
 PKG_VERS="$(git describe --tags)"
 PKG_NAME="${PKG_BASE}-${PKG_VERS}"
 
+# Remove all files or directories listed in .releaseignore
+echo "Removing files listed in .releaseignore ..."
+while IFS= read -r line; do
+    rm -rf "$line"
+done < .releaseignore
+
+# Remove the .releaseignore file itself
+echo "Removing .releaseignore ..."
+rm -f .releaseignore
+
 # Run git-archive to generate tarball
 echo "Creating ${PKG_NAME}.tar.gz ..."
 mkdir -p dist

share/github-backup-utils/ghe-backup-config

@@ -207,8 +207,10 @@ ghe_parallel_check() {
   GHE_PARALLEL_COMMAND="parallel"
   local x
   for x in \
+      /usr/bin/parallel-moreutils \
       /usr/bin/parallel.moreutils \
       /usr/bin/parallel_moreutils \
+      /usr/bin/moreutils-parallel \
       /usr/bin/moreutils.parallel \
       /usr/bin/moreutils_parallel \
       ; do

share/github-backup-utils/ghe-backup-settings

@@ -86,10 +86,13 @@ if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
   cat "$GHE_SNAPSHOT_DIR/encrypted-column-encryption-keying-material" | sed 's:.*;::' > "$GHE_SNAPSHOT_DIR/encrypted-column-current-encryption-key"
 fi
 
-backup-secret "secret scanning encrypted secrets current storage key" "secret-scanning-encrypted-secrets-current-storage-key" "secrets.secret-scanning.encrypted-secrets-current-storage-key"
-backup-secret "secret scanning encrypted secrets delimited storage keys" "secret-scanning-encrypted-secrets-delimited-storage-keys" "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
-backup-secret "secret scanning encrypted secrets current shared transit key" "secret-scanning-encrypted-secrets-current-shared-transit-key" "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
-backup-secret "secret scanning encrypted secrets delimited shared transit keys" "secret-scanning-encrypted-secrets-delimited-shared-transit-keys" "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+# secret scanning encrypted secrets keys were added in GHES 3.8.0
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
+    backup-secret "secret scanning encrypted secrets current storage key" "secret-scanning-encrypted-secrets-current-storage-key" "secrets.secret-scanning.encrypted-secrets-current-storage-key"
+    backup-secret "secret scanning encrypted secrets delimited storage keys" "secret-scanning-encrypted-secrets-delimited-storage-keys" "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
+    backup-secret "secret scanning encrypted secrets current shared transit key" "secret-scanning-encrypted-secrets-current-shared-transit-key" "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
+    backup-secret "secret scanning encrypted secrets delimited shared transit keys" "secret-scanning-encrypted-secrets-delimited-shared-transit-keys" "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+fi
 
 # Backup argon secrets for multiuser from ghes version 3.8 onwards
 if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then